Archive for December, 2014

Vulnerable machines for Pentesters

Author: Martin Voelk
December 19, 2014

Often our customers and fellow Penetration Testers ask us: what can you test Penetration Testing tools against? We don’t wanna break anything on our live systems. Fortunately there are great free open source distributions out there which allow you to test Pentesting tools against, run your customised exploits against etc.

These days more and more servers become virtualised with VMware and other virtualisation software. It has never been that easy for Pentest professionals and aspiring Pentesters to hone their skills against vulnerable machines. If you can get your hands on a Windows XP distribution, great. If not, we highly suggest downloading Metasploitable 2, a distribution left intentionally vulnerable for testing purposes. It deploys easily in VMware, and the victim machine is ready to be attacked.

You can download Metasploitable 2 here: 

It comes with tons of built-in vulnerabilities to be exploited. Those range from common FTP server vulnerabilities to complex Cross Site Scripting and SQL injection vulnerabilities in Web Applications. Ideal to test, play with and practice skills against.

Have a great weekend everybody.


December 17, 2014

Surely most of our readers have heard and even regularly use Wikipedia. A fantastic library at your fingertips. Sometimes you may even find some semi-legal information on Wikipedia, but all in all it’s a great library.

Probably few people have heard of something called the “Hidden Wiki”. Well, it has nothing to do with the original Wikipedia, and even though it looks very much like the real Wikipedia from a design perspective, it’s very different.

The Hidden Wiki is not accessible through the “normal” Internet. It resides on various .onion domains which are only accessible through a special anonymising proxy network called TOR. The Hidden Wiki is a repository of the criminal underworld. You will find anything from financial fraud to hacking, copyright infringement, drugs, illegal materials and so on. A Wikipedia for criminals. Often the leaks from the celebrity hacks etc. end up somewhere on the Hidden Wiki.

Now the Hidden Wiki often changes its URL. As of December 16th 2014 the current URL is: http://zqktlwi4fecvo6ri.onion/wiki/index.php/Main_Page

A word of caution. If you ever go onto the deep web (TOR), run it from a sandbox only, i.e. install a Linux or Windows distribution in VMware and use it only to surf the deep web. There are a lot of dangers on the deep web, including drive-by malware websites and the like.

It’s an interesting world in there. The origins of the TOR network were not malicious at all. It was created to allow journalists in restricted countries to access resources which were filtered. These days a lot of people in Germany use it, because Youtube music is not readily available to the folks over there due to some laws. We in the US enjoy the freedom of entering an artist and song into Youtube and listening to the song. People in Germany get: “Sorry, due to XYZ the title is not available in your country”. If you use TOR you will appear from an IP address in a different geography and likely overcome those restrictions.

Unfortunately TOR is also being used by criminals to disguise their real identity (IP) rather effectively.

As with every aspect of life, there is always good and bad to anything.


December 15, 2014

Today we would like to share a useful resource page with you. If you have a file which you suspect to be malicious, you can upload it there and it will be checked against the most common AV engines. We use that website too, in order to check encoded client side exploits before sending them in Social Engineering audits. Unfortunately it’s really easy to bypass common AV engines when creating malicious payloads. The bad guys unfortunately know this too.

So which AV program is the best or in other words the hardest to get around? In our experience, the best AV engine to detect even most encoded malware is Kaspersky.

So if you receive a malicious payload, download it to a standalone sandbox (like VMware) and then upload it to VirusTotal to check it against common AV engines.


New Exploits are published daily

Author: Martin Voelk
December 15, 2014

Below you’ll see a snapshot of 10 new exploits which have been published in 1 single day. Imagine that times 30 per month! This is why regular Penetration Testing is so important, as it becomes increasingly difficult for companies to keep up with patching and maintenance on the Security side alone.

[Screenshot: exploit listing, taken 2014-12-15 at 12:22]


James Bond “SPECTRE” hack

Author: Martin Voelk
December 15, 2014

Parts of the new James Bond movie SPECTRE were stolen in the Sony hack the other week. Not only does this have a negative impact on Sony, but it could also lead to a lot of forced compensation payments.


We have decided to make another blog post around this topic, as we receive a lot of questions daily around Pentesting Certifications from students, college grads and other IT consultants. Now, if you want to offer Penetration Testing services, which certifications should you possess?

The answer is tricky. There is no international standard like with vendor certifications from Cisco, Juniper and the like. The main question is: where do you want to conduct Pentests / where are your customers?

United States

The EC Council and its relevant certifications, Certified Ethical Hacker (CEH) and Licensed Penetration Tester (LPT), are usually required for US engagements. We have also seen that companies recognise the value of the Offensive Security certifications (OSCP, OSWP etc.) because those certs really show practical skills and the exams are 100% hands on. Mile2 and GIAC/GPEN are also gaining momentum in the US. As the US typically sets the benchmark for IT innovation and certification, those exams are a good starting point for Pentesters. As for exam fees, the CEH is around $500 USD for the exam, Offsec around $1200 for the training, lab access and the exam.

Rest of the world (Latin America, Africa, Asia, Oceania and Europe, except the UK)

The certifications which are typically asked for anywhere else in the world are the CEH and LPT from EC Council. Offensive Security also gets more and more attention outside North America.

United Kingdom

Unfortunately the UK runs its own country specific certification program called CREST. The content is very much like that of the EC Council, but it’s a UK certification only. The problem with CREST is that a lot of UK businesses require that certification for a Pentest engagement, whilst it’s completely unknown and unrecognised anywhere else in the world except for Australia. So if you are a Pentester in the UK, you have to get CREST certs for UK work and the other international ones in case you want to do engagements in mainland Europe, North America or elsewhere. We recently wanted to engage a highly skilled CREST certified contractor from the UK for a US client with offices in Europe, but the customer did not accept CREST, so we had to swap consultants on this engagement. Also the pricing is very expensive, ranging from around $600 USD to $2500 USD per single exam.


It’s not as straightforward as with vendor certifications or internationally accepted certs like the CISSP. As with all certifications, nothing beats real world experience, but you need to have some certifications under the belt to give customers and employers a comfort blanket. Personally we think that the Offensive Security certifications are the best ones in the field, as they are really tough hands-on exams rather than multiple choice questions.


December 11, 2014

Today we are sharing a how-to around IT Security. This 4-page cheat sheet is aimed at non-technical IT users. Following those steps can mitigate the vast majority of threats and attack vectors.




Security issues in Latin America

Author: Martin Voelk
December 11, 2014

We have quite a few government and private industry customers in Latin America. We are used to the fact that Security is nowhere near as advanced as in the U.S. or Europe, but what we encountered recently in 3 different Latin American countries is scary. We won’t be mentioning the countries specifically as we do not want to provide any further details, but as we have a lot of readers from Latin America, this little post should serve as an eye opener.

Pirated Operating Systems

In many Latin American countries you can simply buy any Operating System such as Windows on a street market, and many governments there don’t have laws against this or don’t enforce them at all. No one should do this, but so many individuals and businesses do. The problem is that a lot of those cracked OS versions have built-in backdoors which automatically expose the machine on installation, and people don’t realise it.

Windows XP

Despite Microsoft’s end of sale / support / patching of Windows XP, we found XP to be the most widely deployed OS in many Latin American countries. This is a hacker’s dream. High-quality remote and client-side exploits are available and Microsoft won’t patch anymore. Bad enough if private persons still use it; shocking that governments still have it in use.

The USB enforcement

Many of the countries in LATAM now try to move taxation duties online. Nice idea, but where is the security? One example is that business owners in certain countries in LATAM have to go to the tax office with their report sheets in electronic format. You can guess where this is going... yes. They expect people to put it on a USB stick which the admin ladies then plug into their Windows XP systems. That cries out for a client-side exploit, with auto-run enabled on Windows XP by default.

There are very few security companies operating in Latin America. IT Security is widely neglected. Everyone understands the need for physical security, CCTV, barbed wire etc., but when it comes to online security even governments fail at the basics. We try to play our part through consulting and making at least our customers more secure, but it’s a drop in the ocean, so we hope that if people from Latin America read this article they may take IT Security a bit more seriously.


How do Hackers attack?

Author: Martin Voelk
December 9, 2014

We often get asked by our clients: where are those hackers who are behind the attacks, and how do they disguise themselves? Well, to answer this question fully would probably take weeks or even months. Let’s try to put it into a little blog post.

There are 3 categories of individual attackers.

The security aware hackers

Those are the guys who know how to cover their tracks and disguise themselves. A lot of those guys route their attacks through different countries, the TOR network (an anonymous network which conceals the real source IP) and compromised weak systems. What are weak systems? Typically schools where teachers with very limited or no IT Security knowledge are responsible for the server maintenance. We had 5 cases recently where corporate clients in the US had been attacked and the forensics revealed that the attackers had hacked numerous grammar schools in Europe, installed their tools there and used those to attack. Tracking down those attackers is often hard or impossible.

The stupid hackers

Those are guys (mainly young teenagers) who sit in Western countries and start running attack scripts, but are only able to run automated freeware tools. Then they are surprised if law enforcement knocks on their doors.

The hackers who sit outside Western legislation

Not every attacker has to worry about getting caught. Actually a lot of the attacks originate from countries which do not cooperate with Western law enforcement, or which have bad relationships with the United States, European Union or other Western countries. Just to name a few countries where attacks on Western systems will likely not result in any problems for the attackers: China, North Korea, Russia, Syria, Iraq, Afghanistan, Yemen, Sudan, Cuba, Nicaragua, Ecuador, Bolivia, Venezuela and many more in Africa and Asia.

Our customers often get frustrated when we have to tell them that the attacker likely resides outside their home country and that even if they involve law enforcement, the chances of actually prosecuting the attackers are next to nothing. We recommend being pro-active instead of re-active. Getting your security tested by us and deploying countermeasures is a lot cheaper than waiting for an attack and then firefighting it. The question for any business is not IF an attack is going to happen, but WHEN.


How insecure Wireless really is…

Author: Martin Voelk
December 9, 2014

Forget anything you have heard about Wireless Security. In our Wireless Penetration Tests we are able to break into 95% of all tested systems. Why? Because there are so many attack vectors against Wireless Networks.

WEP Encryption

WEP Encryption = No encryption. Breaking a WEP key with or without clients is a matter of minutes.

WPA / WPA2 Encryption

Capturing the 4-way handshake is a matter of minutes. Having a 34 Gbyte dictionary along with pre-computed rainbow tables of several hundred Gigs and cloud based crackers gives a success chance of 80%. The remaining 20% are crackable one way or another through a social engineering attack where users simply enter their key into a real looking authentication portal. Once the key has been obtained, the possibilities for further attacks are unlimited.

Client Side Attacks

Corporate and private user devices will connect to Evil Twin APs set up by the attacker. This time the goal is to infect the client browsers with malware which in turn provides the attacker with full control over the victim machine.

Man in the Middle Attacks

Fake hotspots which look legitimate capture credentials such as emails and passwords, credit card information or PayPal logins. Thereafter any user activity is captured (websites visited, credentials entered, images browsed). Even SSL connections are being broken by SSLstrip, where the attacker proxies the HTTPS connection to the website and the user simply gets presented everything in clear text.

Denial of Service

Wireless jammers are becoming cheaper and cheaper. They can be bought in China and ship without any problems to any country. The Chinese companies label them as Access Points and shipping goes through without any problem. The high end boxes cost around $200 each, are twice the size of a cigarette box and come with power packs. Those jammers block Cell, Wifi and GPS in their vicinity. Imagine 10 of those strategically placed at a competitor’s office! Many look like air fresheners.

Attacks against RADIUS / Corporate Wifi 802.1x

The attacker simulates the RADIUS server. Users enter their credentials. The challenges are captured and can be decrypted; the username comes in clear text. This works well because the full mutual client/server authentication circle is often not implemented by default: clients that do not validate the RADIUS server’s certificate will happily authenticate to the attacker’s server.
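A defender-side check that follows from the RADIUS point above, added here as an example and not part of the original post: it parses a constructed wpa_supplicant.conf (sample data, assumed for this example) and flags WEP networks as well as EAP profiles that do not validate the RADIUS server, either no ca_cert at all or a ca_cert without a server name match, which is exactly the gap a simulated RADIUS server exploits.

```python
import re

# Constructed sample wpa_supplicant.conf (example data, not from the post):
# a WEP network, a PEAP profile with no server validation, and a hardened one.
SAMPLE_CONF = """
network={
    ssid="LegacyShop"
    key_mgmt=NONE
    wep_key0=0102030405
}
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="CorpWifi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

def parse_networks(conf):
    # One dict of key/value pairs per network={...} block; quotes are stripped.
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", conf, re.S):
        kv = {}
        for line in block.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, val = line.partition("=")
                kv[key.strip()] = val.strip().strip('"')
        nets.append(kv)
    return nets

def audit(net):
    # Findings for one network block; an empty list means nothing was flagged.
    findings = []
    if net.get("key_mgmt") == "NONE" and any(k.startswith("wep_key") for k in net):
        findings.append("WEP: equivalent to no encryption, migrate to WPA2")
    if "WPA-EAP" in net.get("key_mgmt", ""):
        if "ca_cert" not in net:
            findings.append("EAP without ca_cert: a rogue RADIUS server is accepted")
        elif not any(k in net for k in ("domain_suffix_match", "subject_match", "altsubject_match")):
            findings.append("EAP ca_cert set but no server name match: any cert from that CA is accepted")
    return findings

def audit_conf(conf):
    # Map SSID -> findings for every network block in the config text.
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(conf)}
```

Run `audit_conf(open("/etc/wpa_supplicant/wpa_supplicant.conf").read())` on a real client to list the profiles that would hand their MSCHAPv2 challenge to any access point advertising the corporate SSID.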

Think again if the vendors tell you about great Wireless Security. It’s not that great after all...